Feasibility of Running Fluent Bit as Non-Root User

[PoojithaPrasad2001]

We have a compliance/vulnerability finding raised against our Fluent Bit deployment regarding containers running as the root user.

We would like to check with the Fluent Bit team on the feasibility and supportability of running Fluent Bit as a non-root user in our environment.

Could you please help clarify the following:

1. Does Fluent Bit officially support running as a non-root user?
2. Are there any known limitations or feature impacts when running non-root?
3. Are there recommended securityContext settings (runAsUser, fsGroup, capabilities, etc.)?
4. Are any specific directories/files required to remain writable by root?
5. Have there been any validated deployments or best practices for OpenShift/Kubernetes environments using non-root execution?

[patrick-stephens]

This comes up fairly regularly and the answer is "it depends". Fundamentally there is no specific requirement on having to run as root, it will depend on your configuration and infrastructure.

If you are mounting resources (e.g. files) that are only accessible by root (in your specific infra/config) then you may need to run as root but there are ways to solve that problem: it is not a Fluent Bit issue but an infrastructure one.

[patrick-stephens]

Here's a previous question: #11010

[patrick-stephens]

You can run on Openshift with non-root images, e.g. one I support: https://catalog.redhat.com/en/software/container-stacks/detail/68cfeb03e65464ef8fd4d608

The example makes use of the OSS helm chart which explicitly supports Openshift SCCs:

• https://github.com/fluent/helm-charts/blob/5926203a457c0b08b57d4f98e46eb36307e6cba1/charts/fluent-bit/values.yaml#L56
• https://github.com/fluent/helm-charts/blob/main/charts/fluent-bit/templates/scc.yaml
  You can configure the mounts and SCC in the helm chart to run as non-root in your infrastructure, by default it keeps it simple but it can be configured appropriately to support custom SCC and appropriate mount configuration to allow the image user to read the files.

Similarly whatever resource you are accessing that currently "requires root" likely can be configured so it runs as non-root. However this will depend on your specific setup.